Hackers can turn your home appliances against you

The LG Smart Home system allows users to communicate with home appliances via text message. Cybersecurity experts have said the technology may also be a portal of vulnerability to hackers.

Photo By Ethan Miller / Getty Images

A “smart” refrigerator, such as this one using LG's Smart ThinQ technology shown at the Consumer Electronics show this month, may be one of the myriad ways hackers find their way into our homes, say cybersecurity experts.

SAN FRANCISCO — That spam that fills your email inbox might be coming from inside your home — sent by a TV, a wireless router — or even a refrigerator that's been turned against you.

Computers and smart phones have long been the target of hackers, but a recent cyberattack exploited security holes in more than 100,000 Internet-connected home devices and used them to transmit some 750,000 spam and phishing e-mails over two weeks in late December and early January, according to Proofpoint, a Sunnyvale, Calif., spam-detection company that discovered the attack.

More and more devices are connecting to the Web, forming what tech insiders call the “Internet of Things.” It's a booming sector in the tech industry, with Google snatching up connected-home appliance company Nest Labs Inc. for $3.2 billion in cash this week. Analysts say the Internet of Things is slated to be worth $1.9 trillion and include 26 billion devices by 2020, according to analysts. But each new online gadget, whether it's a phone-controlled thermostat or a Wi-Fi-enabled wristwatch, is a potential target.

The brunt of the recent attack, which spanned from Dec. 23 to Jan. 6, still relied on compromised personal computers to send malicious emails. But about 25 percent of the messages went out from other connected devices including gaming consoles, wireless speakers, televisions and at least one refrigerator, the company said. Proofpoint said this was the first attack it has seen that used household “smart” appliances.

The attack used the devices to relay emails, but didn't affect their operations in the home.

“Hackers aren't going to go in and turn up your thermostat to 100 degrees, but if they can go in and leverage that device, if they can use it for something else, there's that possibility,” said Michele Borovac, a security expert at Mountain View, Calif.-based HyTrust. “As we see technologies grow and improve and see more things connected to the Internet, we're going to see attacks grow.”

Hackers are “wily” and will use whatever opportunities they can find, she said. Basic security checks usually catch compromised machines because their IP addresses show unusual activity, but in this case the attackers escaped detection by never sending more than 10 emails from a single IP address.

What makes the attack so alarming is the fact most consumers don't monitor their connected appliances the same way they do their computers and phones, said Proofpoint's information security manager David Knight. For instance, when is the last time you checked the antivirus software on your television?

“Unlike PCs that have interfaces and antivirus software and all kinds of things that the consumer accesses every day, these devices don't have regular capabilities to be actively updated and protected,” Knight said. “Some don't even really have a screen, so how do I know if something's wrong? If my PC's infected, it's going to run slowly, I'm going to see something on my screen; but that's not the same for a fridge.”

Security for connected devices likely will catch up with the attacks, Knight said, but the vulnerability shouldn't have been a surprise.

“The significance of the news isn't this attack — these attacks happen all the time, and it wasn't a particularly large one,” Knight said. “What was significant was that researchers have been warning that these new connected smart devices were going to be susceptible to these kinds of breaches, and we were able to show that the theory has turned into reality.”